[Qemu-devel] [PATCH] scsi: fix buffer overflow in scsi_req_parse

qemu-devel.nongnu.org archive mirror
 help / color / mirror / Atom feed

* [Qemu-devel] [PATCH] scsi: fix buffer overflow in scsi_req_parse_cdb (CVE-2015-5158)
@ 2015-07-22 14:18 Paolo Bonzini
  2015-07-22 14:27 ` Daniel P. Berrange
  2015-07-23  1:35 ` Fam Zheng
  0 siblings, 2 replies; 4+ messages in thread
From: Paolo Bonzini @ 2015-07-22 14:18 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

This is a guest-triggerable buffer overflow present in QEMU 2.2.0
and newer.  scsi_cdb_length returns -1 as an error value, but the
caller does not check it.

Luckily, the massive overflow means that QEMU will just SIGSEGV,
making the impact much smaller.

Reported-by: Zhu Donghai (朱东海) <donghai.zdh@alibaba-inc.com>
Fixes: 1894df02811f6b79ea3ffbf1084599d96f316173
Cc: qemu-stable@nongnu.org
---
 hw/scsi/scsi-bus.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/hw/scsi/scsi-bus.c b/hw/scsi/scsi-bus.c
index f50b2f0..f0ae462 100644
--- a/hw/scsi/scsi-bus.c
+++ b/hw/scsi/scsi-bus.c
@@ -1239,10 +1239,15 @@ int scsi_cdb_length(uint8_t *buf) {
 int scsi_req_parse_cdb(SCSIDevice *dev, SCSICommand *cmd, uint8_t *buf)
 {
     int rc;
+    int len;
 
     cmd->lba = -1;
-    cmd->len = scsi_cdb_length(buf);
+    len = scsi_cdb_length(buf);
+    if (len < 0) {
+        return -1;
+    }
 
+    cmd->len = len;
     switch (dev->type) {
     case TYPE_TAPE:
         rc = scsi_req_stream_xfer(cmd, dev, buf);
-- 
2.4.3

^ permalink raw reply related	[flat|nested] 4+ messages in thread

* Re: [Qemu-devel] [PATCH] scsi: fix buffer overflow in scsi_req_parse_cdb (CVE-2015-5158)
  2015-07-22 14:18 [Qemu-devel] [PATCH] scsi: fix buffer overflow in scsi_req_parse_cdb (CVE-2015-5158) Paolo Bonzini
@ 2015-07-22 14:27 ` Daniel P. Berrange
  2015-07-22 16:22   ` Paolo Bonzini
  2015-07-23  1:35 ` Fam Zheng
  1 sibling, 1 reply; 4+ messages in thread
From: Daniel P. Berrange @ 2015-07-22 14:27 UTC (permalink / raw)
  To: Paolo Bonzini; +Cc: qemu-devel, qemu-stable

On Wed, Jul 22, 2015 at 04:18:00PM +0200, Paolo Bonzini wrote:
> This is a guest-triggerable buffer overflow present in QEMU 2.2.0
> and newer.  scsi_cdb_length returns -1 as an error value, but the
> caller does not check it.
> 
> Luckily, the massive overflow means that QEMU will just SIGSEGV,
> making the impact much smaller.

FWIW, would be nice to mention which disk frontends could trigger
this bug. eg was it all of the devices in hw/scsi/ or just a subset ?

> 
> Reported-by: Zhu Donghai (朱东海) <donghai.zdh@alibaba-inc.com>
> Fixes: 1894df02811f6b79ea3ffbf1084599d96f316173
> Cc: qemu-stable@nongnu.org
> ---
>  hw/scsi/scsi-bus.c | 7 ++++++-
>  1 file changed, 6 insertions(+), 1 deletion(-)
> 
> diff --git a/hw/scsi/scsi-bus.c b/hw/scsi/scsi-bus.c
> index f50b2f0..f0ae462 100644
> --- a/hw/scsi/scsi-bus.c
> +++ b/hw/scsi/scsi-bus.c
> @@ -1239,10 +1239,15 @@ int scsi_cdb_length(uint8_t *buf) {
>  int scsi_req_parse_cdb(SCSIDevice *dev, SCSICommand *cmd, uint8_t *buf)
>  {
>      int rc;
> +    int len;
>  
>      cmd->lba = -1;
> -    cmd->len = scsi_cdb_length(buf);
> +    len = scsi_cdb_length(buf);
> +    if (len < 0) {
> +        return -1;
> +    }
>  
> +    cmd->len = len;
>      switch (dev->type) {
>      case TYPE_TAPE:
>          rc = scsi_req_stream_xfer(cmd, dev, buf);


Regards,
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [Qemu-devel] [PATCH] scsi: fix buffer overflow in scsi_req_parse_cdb (CVE-2015-5158)
  2015-07-22 14:27 ` Daniel P. Berrange
@ 2015-07-22 16:22   ` Paolo Bonzini
  0 siblings, 0 replies; 4+ messages in thread
From: Paolo Bonzini @ 2015-07-22 16:22 UTC (permalink / raw)
  To: Daniel P. Berrange; +Cc: qemu-devel, qemu-stable



On 22/07/2015 16:27, Daniel P. Berrange wrote:
> On Wed, Jul 22, 2015 at 04:18:00PM +0200, Paolo Bonzini wrote:
> > This is a guest-triggerable buffer overflow present in QEMU 2.2.0
> > and newer.  scsi_cdb_length returns -1 as an error value, but the
> > caller does not check it.
> > 
> > Luckily, the massive overflow means that QEMU will just SIGSEGV,
> > making the impact much smaller.
>
> FWIW, would be nice to mention which disk frontends could trigger
> this bug. eg was it all of the devices in hw/scsi/ or just a subset ?

All of them.

Paolo

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [Qemu-devel] [PATCH] scsi: fix buffer overflow in scsi_req_parse_cdb (CVE-2015-5158)
  2015-07-22 14:18 [Qemu-devel] [PATCH] scsi: fix buffer overflow in scsi_req_parse_cdb (CVE-2015-5158) Paolo Bonzini
  2015-07-22 14:27 ` Daniel P. Berrange
@ 2015-07-23  1:35 ` Fam Zheng
  1 sibling, 0 replies; 4+ messages in thread
From: Fam Zheng @ 2015-07-23  1:35 UTC (permalink / raw)
  To: Paolo Bonzini; +Cc: qemu-devel, qemu-stable

On Wed, 07/22 16:18, Paolo Bonzini wrote:
> This is a guest-triggerable buffer overflow present in QEMU 2.2.0
> and newer.  scsi_cdb_length returns -1 as an error value, but the
> caller does not check it.
> 
> Luckily, the massive overflow means that QEMU will just SIGSEGV,
> making the impact much smaller.
> 
> Reported-by: Zhu Donghai (朱东海) <donghai.zdh@alibaba-inc.com>
> Fixes: 1894df02811f6b79ea3ffbf1084599d96f316173
> Cc: qemu-stable@nongnu.org
> ---
>  hw/scsi/scsi-bus.c | 7 ++++++-
>  1 file changed, 6 insertions(+), 1 deletion(-)
> 
> diff --git a/hw/scsi/scsi-bus.c b/hw/scsi/scsi-bus.c
> index f50b2f0..f0ae462 100644
> --- a/hw/scsi/scsi-bus.c
> +++ b/hw/scsi/scsi-bus.c
> @@ -1239,10 +1239,15 @@ int scsi_cdb_length(uint8_t *buf) {
>  int scsi_req_parse_cdb(SCSIDevice *dev, SCSICommand *cmd, uint8_t *buf)
>  {
>      int rc;
> +    int len;
>  
>      cmd->lba = -1;
> -    cmd->len = scsi_cdb_length(buf);
> +    len = scsi_cdb_length(buf);
> +    if (len < 0) {
> +        return -1;
> +    }
>  
> +    cmd->len = len;
>      switch (dev->type) {
>      case TYPE_TAPE:
>          rc = scsi_req_stream_xfer(cmd, dev, buf);
> -- 
> 2.4.3
> 
> 

Reviewed-by: Fam Zheng <famz@redhat.com>

^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2015-07-23  1:35 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2015-07-22 14:18 [Qemu-devel] [PATCH] scsi: fix buffer overflow in scsi_req_parse_cdb (CVE-2015-5158) Paolo Bonzini
2015-07-22 14:27 ` Daniel P. Berrange
2015-07-22 16:22   ` Paolo Bonzini
2015-07-23  1:35 ` Fam Zheng

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).